Securing Unix Filesystems - When Good Permissions Go Bad
|
|
- Curtis Leonard
- 5 years ago
- Views:
Transcription
1 Securing Unix Filesystems - When Good Permissions Go Bad Introduction Unix has a very elegant and flexible permission system at the heart of its filesystem security. These permissions allow and/or disallow access to each file on the system by various users and groups. Unfortunately, this system is often misused in such a manner that parts of the system become insecure, vulnerable to both malicious and accidental damage. The permission system revolves around three major components: mode, owner, and group. Each file on the system has all three of these elements. And each file, being present for a unique purpose, has individual needs. Not all files are alike, nor should they all have the same permissions. To blanketly apply one set of permissions to many files out of "convenience" is to undermine the very purpose of the permission system--keeping files as secure as possible. Yet this is exactly what happens on all too many systems that are deployed. Whether you are an administrator at some level, or an end-user that "just works there", let's take a few minutes to explore the permission system, and how it is best used, as well as the mistakes not to make. How It's Designed To Work The first thing to consider about files under unix systems is who owns them. There are two relevant settings in this case, the owner and group. The owner is a username. The group is a group name, which resolves (via /etc/group) to a list of usernames, any one of which will test as true when that group name is checked. Groups will make more sense after we've discussed the basics of modes. The -real- power of the system lies in the mode. There are two ways to deal with modes on a system level via the 'chmod' program--absolute and symbolic. Let's look first at the absolute modes. Absolute modes are specified in octal notation, and are bitmasks. Each digit place represents three bits of a two-byte mode, and can be set to a bitwise OR of potential values. The rest of the two bytes, in case you're counting bits, is used by the system for information about the type of file, and is not germaine to chmod(1). Basically, each place can be set from 0-7. Only 4, 2, and 1 are standalone settings. The remaining values are the results of bitwise OR's: 2+4 gives you 6, for instance. In code, it's a bitwise OR operation. Mathematically, you simply add the values for the bits you wish to set. Let's break down the bit setting functionality, remembering that there are four relevant places that we deal with when setting modes. We'll handle the leading place last, since it has some special functionality and is more complex than the others. The last three bit settings each correspond to owner, group, and others. Others would be any user that is not the owner, and does not belong to the group.
2 In each case, the following values have the following functionality: 4 - Read permission granted 2 - Write permission granted 1 - Execute permission granted 0 - No permission granted For files, the execute bit is exactly what it means; the file may be executed as a runnable program. In general, if it is a binary that runs under your platform, it is executed. If it is a script or other file, it is fed to an interpreter. A #!/path/to/interpreter line at the top of a script script is preferable, but if a file lacks one the file will be fed to the default shell interpreter. For directories, the execute bit signifies that the directory may be searched through, but not directly read. For instance, a directory with the execute bit set, but the read bit not set would allow you to access specific files under that directory by name, but you could not obtain a list of files in that directory with ls or any other program. An excellent demonstration of the usefulness of this is the idea of giving users access to a program by telling them what file to execute, but not letting them see other files in the same directory that you may not want them to. They can only use what they know about. If you've ever logged into an FTP cite and been curious enough to change directories into perhaps /bin but gotten an empty listing back, this is precisely the methodology used. The leading bit setting in a mode implements special functionality: If an executable has a leading place set to 4, when the program is executed, it is executed as the owner of the program, not the user calling it. This is referred to as SUID. If an executable is set to group execute mode (in any combination of logical ORs), and the leading place is set to 2, the executable is run with as if it were a member of the group that owns the file, rather than as the group of the calling user. This is referred to as SGID. If an executable is set to a non-execute group mode, and the leading place is set to 2, the file is mandatorily locked while any program accesses it, meaning that other programs may not read/write from or to that file. If the node is a directory, any files or subdirectories created there are created with the group ID of the parent directory with these modes set, rather than that of the calling process. If a directory is set with a leading place of 1, any user that would ordinarily be able to create a file or directory under it according to the rest of the permissions may do so--but, no other user may remove those files or directories. Only the owner of a file or directory (or the superuser) may remove a file from a directory with this bit set. This is referred to as the "sticky bit". It is possible to combine SUID and SGID (6), as well as SGID and the "sticky bit" (3). It is not possible to enable mandatory locking and SGID at the same time. It should be noted that the "mandatory locking" functionality appears to be system-dependant, and may not be available on your platform. Please consult your chmod(1) documentation for further details.
3 Symbolic modes are simply a mask representation of the absolute modes: u g o rwxrwxrwx (user, group, others) In the case of the first place from absolute notation, 4 will change the user execute position to read 's'. A setting of 2 will do the same thing at the group execute position. A setting of 1 will change the execute position for others to read as 't'. This last only works for directories, as the "sticky bit" has been depricated for files. You can read more on using symbolic modes with 'man chmod'. Permissions are evaluated left to right. This lends itself to some interesting situations that can be beneficial for security purposes. Take an example of a file with mode 0705, owner 'fairlite', group 'restricted'. This file may be read from, written to, or executed by 'fairlite', and read from and executed by all other users--except any user that belongs to the group 'restricted'. Because of the way permissions are evaluated in order, left to right, if you belong to that group, the evaluation for you ends there, and does not proceed on to "others". (It is worth noting for those that use a program like MS Internet Explorer to FTP files and change their modes that IE's verbiage of "All Users" really translates to "others" and is a complete misnomer.) Many people do not understand the evaluation order, and assume that the "others" setting will override user and group settings. This is not the case. Now that we have an overview of how permissions work (full details are available via 'man chmod' on unix systems), let's explore some of the foibles that create holes in security, and weakened security. Executable Data Put simply, there is NO reason for a data file to be executable. If a file is not meant to be run as a program, it does not need, nor should it have an executable bit set. Setting an executable bit on a program lets people run a program arbitrarily, without taking the extra step of calling a shell interpreter, at a minimum. For instance, if I had a text file (like this essay) which contained an example of a command sequence that was dangerous, such as: ;ls / ; rm -rf /home ;...anyone that happened to type the name of the file as a command would end up triggering a removal of the /home filesystem if they happened to have permission to do so. Ordinarily, this example would require you to be root or the owner of /home and its contents to do any damage, but as we see later, this is not always the case. Even if others cannot execute a file, if the owner has execute permissions and did this, they would wipe out any files they had permission to remove. One should also keep in mind that a file need not be set to executable to be executed. Anyone with permission to read the file may attempt to execute it by feeding it manually to an interpreter. A Bourne shell script with mode 0744 may still be executed by anyone on the system by using the command /bin/sh. You may wish to lock down read ability on scripts that you don't want others to run. One other thing that should be noted is that shell scripts require read permission to run. While binaries will run with only the execute bit set, an interpreter needs both the execute -and- read bits set, because it must first read the file.
4 World-Everything Directories There is nothing quite so insecure as a directory with the mode 0777 set, except perhaps leaving your keys in the ignition of your car, the doors unlocked, and putting a sign on the dash saying, "Steal me!" With the writeable bit set for "others", anyone may add or remove files to a directory, whether they own it or not. Similarly, group write permission may be dangerous if used incorrectly in the context of a general group. If all users are in group "users", there is generally no excuse or reason for having 077x permissions on a directory, as anyone in the group can remove anyone else's files. Spool directories where you want multiple users to write files should use the "sticky-bit", or a leading '1' in octal, such as 1777, or in the case of group access, 1775 (or stricter, depending on what the "others" need access to). This allows anyone (either in the group, in group-only context, or anyone at all in world-writeable context) to create a file in that directory, but ONLY the owner of the file may remove it. World-Everything and World-Writeable Files Even assuming you have your directories secure, your files should be secured as well. Assuming a mode 0666 on a file inside a directory that is moded 0755, anyone may actually open the file and write arbitrary data to it, or even wipe out segments of it, despite the fact that they cannot create new files in that directory. You don't need to have write permission to a directory to affect an insecure file inside that directory. Excessive SUID/SGID Privileges In these days of hightened security awareness, many vendors are trying very hard to (wisely) limit the number of programs that run SUID and/or SGID. Not all SUID/SGID files are "bad". For example, most mail transport agents run SGID at the least. The most potentially serious SUID programs are those owned by root. If a program is owned by a user that has no other privileges on the system, it is far safer if it breaks, because it can only damage files which pertain to it (assuming a properly designed system). The steps to keeping things as secure as possible are: Make sure the program really needs SUID or SGID permissions to function properly. Make the owner "isolated" if at all possible. It is easy to just set root ownership and SUID on a program so that it can write to anywhere. But if that program is ever vulnerable to an exploit, it could then enable a write to (or delete from!) anywhere that root can. In short, root's permissions would be gained. To keep this risk to a minimum, if you can run a web server as 'nobody' or 'www', a separate user who is isolated and really has no privileges anywhere outside its own subsystem, you should do so. The same applies to groups and SGID modes. If you are the developer of the program, ensure that the program drops its elevated privileges at every opportunity, especially before operations such as system(), fork(), and exec(). The less time a program spends with elevated privileges, the less chance there is for it to be exploited if a bug is discovered.
5 Summary Perhaps the simplest way of summing up permission management technique is, "Be paranoid." If you want a secure system, tighten things to the most stringent modes possible while maintaining usability. Use the permission system to its fullest potential to keep things hardened. Remember, not all attacks are external. But external attacks can lead to local attacks. And local attacks can be very costly, even if the attack is by a non-root account, if your permissions are lax. Tools One could use a variety of methods for scanning for various modes. The ls -la command is one of the most useful. You can spend a long time looking at and tweaking your filesystem contents to be more secure. I have written a utility that looks for the "most dangerous" modes that require close observation (SGID/ SUID), or outright fixing ("group" and/or "other" write modes either alone or in concert with other modes). This tool is written in Perl version 5, and generates full reports. It will even them to you, if you have a usable SMTP server at your disposal. It tracks files it has already found, so if you set it up to run every evening on your system and point it at /home or wherever your users keep files, you can run selected audits and see dangerous changes as they appear, but not be bothered with the rest. You may, of course, request a full audit report at any time. With multiple, selectable output formats, you can choose the output that's right for you. You also get the source code, so you can add or remove scan modes if you wish. If you wish to acquire this program, the Fairlight Permission Analysis Assistant, please click here to license it. The license cost is $59.95 per system. As titled, the program is an assistant. It will report its findings. Not all of the results are bad, or require fixing. It is the responsibility of the person doing the analysis to recognize the import of what results are given to them. The analysis process still takes time and effort, but this tool does the data collection for you in a convenient manner. System requirements for flpaa are: Perl 5.6 or higher Getopt::Long Copyright , Fairlight Consulting. All rights reserved.
5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9
File Security, Setting and Using Permissions Chapter 9 To show the three protection and security mechanisms that UNIX provides To describe the types of users of a UNIX file To discuss the basic operations
More informationFile Properties and Permissions
File Properties and Permissions Managing File Access in Linux Peter Perry July 2009 What is it about? Open a shell (terminal) and type ls -l You get quite a bit of information about each file. Tonight,
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 13: Operating System Security Department of Computer Science and Engineering University at Buffalo 1 Review Previous topics access control authentication session
More informationFiles (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1
Files (review) and Regular Expressions Todd Kelley kelleyt@algonquincollege.com CST8207 Todd Kelley 1 midterms (Feb 11 and April 1) Files and Permissions Regular Expressions 2 Sobel, Chapter 6 160_pathnames.html
More informationWeb Servers and Security
Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market (Apache has 70%; IIS has 20%) Both major servers have lots
More informationWeb Servers and Security
Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market Apache has 49%; IIS has 36% (source: http://news.netcraft.com/archives/2008/09/30/
More informationOutline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines
Outline Operating System Security CS 239 Computer Security February 23, 2004 Introduction Memory protection Interprocess communications protection File protection Page 1 Page 2 Introduction Why Is OS Security
More informationArchitecture. Steven M. Bellovin October 27,
Architecture Steven M. Bellovin October 27, 2015 1 Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market Apache
More informationIntroduction to Computer Security
Introduction to Computer Security UNIX Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service) a high-availability,
More informationData Security and Privacy. Unix Discretionary Access Control
Data Security and Privacy Unix Discretionary Access Control 1 Readings for This Lecture Wikipedia Filesystem Permissions Other readings UNIX File and Directory Permissions and Modes http://www.hccfl.edu/pollock/aunix1/filepermissions.htm
More informationPermission and Ownership
Permission and Ownership 1. Understanding file and directory ownership Every file on your Linux system, including directories, is owned by a specific user and group. Therefore, file permissions are defined
More informationProcesses are subjects.
Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path TCP wrappers Race conditions NOTE: filenames may differ between OS/distributions
More informationWho am I? I m a python developer who has been working on OpenStack since I currently work for Aptira, who do OpenStack, SDN, and orchestration
Who am I? I m a python developer who has been working on OpenStack since 2011. I currently work for Aptira, who do OpenStack, SDN, and orchestration consulting. I m here today to help you learn from my
More informationUNIX File Hierarchy: Structure and Commands
UNIX File Hierarchy: Structure and Commands The UNIX operating system organizes files into a tree structure with a root named by the character /. An example of the directory tree is shown below. / bin
More informationA Big Step. Shell Scripts, I/O Redirection, Ownership and Permission Concepts, and Binary Numbers
A Big Step Shell Scripts, I/O Redirection, Ownership and Permission Concepts, and Binary Numbers Copyright 2006 2009 Stewart Weiss What a shell really does Here is the scoop on shells. A shell is a program
More informationCSE II-Sem)
a) Write a shell script that displays a list of all the files in the current directory to which the user has read, write and execute permissions. b) Develop an interactive script that asks for a word and
More informationScripting. Shell Scripts, I/O Redirection, Ownership and Permission Concepts, and Binary Numbers
Scripting Shell Scripts, I/O Redirection, Ownership and Permission Concepts, and Binary Numbers Adapted from Practical Unix and Programming Hunter College Copyright 2006 2009 Stewart Weiss What a shell
More informationOutline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components
UNIX security Ulf Larson (modified by Erland Jonsson/Magnus Almgren) Computer security group Dept. of Computer Science and Engineering Chalmers University of Technology, Sweden Outline UNIX security ideas
More informationChapter 1 - Introduction. September 8, 2016
Chapter 1 - Introduction September 8, 2016 Introduction Overview of Linux/Unix Shells Commands: built-in, aliases, program invocations, alternation and iteration Finding more information: man, info Help
More informationTECH 4272 Operating Systems
TECH 4272 Lecture 3 2 Todd S. Canaday Adjunct Professor Herff College of Engineering sudo sudo is a program for Unix like computer operating systems that allows users to run programs with the security
More informationPhysics REU Unix Tutorial
Physics REU Unix Tutorial What is unix? Unix is an operating system. In simple terms, its the set of programs that makes a computer work. It can be broken down into three parts. (1) kernel: The component
More informationCS61 Scribe Notes Date: Topic: Fork, Advanced Virtual Memory. Scribes: Mitchel Cole Emily Lawton Jefferson Lee Wentao Xu
CS61 Scribe Notes Date: 11.6.14 Topic: Fork, Advanced Virtual Memory Scribes: Mitchel Cole Emily Lawton Jefferson Lee Wentao Xu Administrivia: Final likely less of a time constraint What can we do during
More informationThis document describes version 2.07 of File::Path, released
NAME VERSION SYNOPSIS File::Path - Create or remove directory trees This document describes version 2.07 of File::Path, released 2008-11-09. use File::Path qw(make_path remove_tree); make_path('foo/bar/baz',
More informationSome Linux (Unix) Commands that might help you in ENSC351
Some Linux (Unix) Commands that might help you in ENSC351 First, like Windows, Linux and Unix (for our purposes, they are the basically the same) use a hierarchical directory structure. What would be called
More informationUser Commands chmod ( 1 )
NAME chmod change the permissions mode of a file SYNOPSIS chmod [-fr] absolute-mode file... chmod [-fr] symbolic-mode-list file... DESCRIPTION The chmod utility changes or assigns the mode of a file. The
More informationWorking with Basic Linux. Daniel Balagué
Working with Basic Linux Daniel Balagué How Linux Works? Everything in Linux is either a file or a process. A process is an executing program identified with a PID number. It runs in short or long duration
More informationThis document describes version 2.09 of File::Path, released
NAME VERSION SYNOPSIS File::Path - Create or remove directory trees This document describes version 2.09 of File::Path, released 2013-01-17. use File::Path qw(make_path remove_tree); make_path('foo/bar/baz',
More informationbash startup files Linux/Unix files stty Todd Kelley CST8207 Todd Kelley 1
bash startup files Linux/Unix files stty Todd Kelley kelleyt@algonquincollege.com CST8207 Todd Kelley 1 midterms (Feb 27 and April 10) bash startup files More Linux Files review stty 2 We customize our
More informationPermissions and Links
Permissions and Links The root account Setuid and Setgid Permissions Setting Setuid and Setgid with chmod Directory Access Permissions Links o Two Types of Links o The ln command o Removing a link The
More informationExploring UNIX: Session 3
Exploring UNIX: Session 3 UNIX file system permissions UNIX is a multi user operating system. This means several users can be logged in simultaneously. For obvious reasons UNIX makes sure users cannot
More informationCS/CIS 249 SP18 - Intro to Information Security
Lab assignment CS/CIS 249 SP18 - Intro to Information Security Lab #2 - UNIX/Linux Access Controls, version 1.2 A typed document is required for this assignment. You must type the questions and your responses
More informationWhen talking about how to launch commands and other things that is to be typed into the terminal, the following syntax is used:
Linux Tutorial How to read the examples When talking about how to launch commands and other things that is to be typed into the terminal, the following syntax is used: $ application file.txt
More informationCPS221 Lecture: Operating System Protection
Objectives CPS221 Lecture: Operating System Protection last revised 9/5/12 1. To explain the use of two CPU modes as the basis for protecting privileged instructions and memory 2. To introduce basic protection
More informationArchitecture. Steven M. Bellovin October 31,
Architecture Steven M. Bellovin October 31, 2016 1 Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market Apache
More informationRace Condition Vulnerability Lab
Concordia Institute for Information Systems Engineering - INSE 6130 1 Race Condition Vulnerability Lab Copyright c 2006-2012 Wenliang Du, Syracuse University. The development of this document is funded
More informationINSE 6130 Operating System Security. Overview of Design Principles
INSE 6130 Operating System Security Design Principles Prof. Lingyu Wang 1 Overview of Design Principles Design principles Time-proven guidelines For implementing security mechanisms/systems Rooted in simplicity
More informationPESIT Bangalore South Campus
INTERNAL ASSESSMENT TEST - 2 Date : 20/09/2016 Max Marks : 0 Subject & Code : Unix Shell Programming (15CS36) Section : 3 rd Sem ISE/CSE Name of faculty : Prof Ajoy Time : 11:30am to 1:00pm SOLUTIONS 1
More informationOverview LEARN. History of Linux Linux Architecture Linux File System Linux Access Linux Commands File Permission Editors Conclusion and Questions
Lanka Education and Research Network Linux Architecture, Linux File System, Linux Basic Commands 28 th November 2016 Dilum Samarasinhe () Overview History of Linux Linux Architecture Linux File System
More informationOperating system security models
Operating system security models Unix security model Windows security model MEELIS ROOS 1 General Unix model Everything is a file under a virtual root diretory Files Directories Sockets Devices... Objects
More informationProcesses are subjects.
Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path Race conditions NOTE: filenames may differ between OS/distributions Principals
More informationUsers and Groups. his chapter is devoted to the Users and Groups module, which allows you to create and manage UNIX user accounts and UNIX groups.
cameron.book Page 19 Monday, June 30, 2003 8:51 AM C H A P T E R 4 Users and Groups T his chapter is devoted to the Users and Groups module, which allows you to create and manage UNIX user accounts and
More informationIntroduction to Unix May 24, 2008
Introduction to Unix May 24, 2008 Exercises: Privileges REFERENCE Reference: Shah, Steve, "Linux Administration: A Beginner's Guide", 2nd. ed., Osborne press, New York, NY. If you look at files in a directory
More informationComputer Engineering II Solution to Exercise Sheet Chapter 6
Distributed Computing FS 2018 Prof. R. Wattenhofer Computer Engineering II Solution to Exercise Sheet Chapter 6 Basic 1 HDDs a) For a random workload, we can assume that the head is equally likely to be
More informationUNIX Administration Course
UNIX Administration Course UNIX Fundamentals: File Ownership Copyright 1999 by Ian Mapleson BSc. Version 1.0 mapleson@gamers.org Tel: (+44) (0)1772 893297 Fax: (+44) (0)1772 892913 WWW: http://www.futuretech.vuurwerk.nl/
More informationCST8207: GNU/Linux Operating Systems I Lab Six Linux File System Permissions. Linux File System Permissions (modes) - Part 1
Student Name: Lab Section: Linux File System Permissions (modes) - Part 1 Due Date - Upload to Blackboard by 8:30am Monday March 12, 2012 Submit the completed lab to Blackboard following the Rules for
More information: the User (owner) for this file (your cruzid, when you do it) Position: directory flag. read Group.
CMPS 12L Introduction to Programming Lab Assignment 2 We have three goals in this assignment: to learn about file permissions in Unix, to get a basic introduction to the Andrew File System and it s directory
More informationChapter Two. Lesson A. Objectives. Exploring the UNIX File System and File Security. Understanding Files and Directories
Chapter Two Exploring the UNIX File System and File Security Lesson A Understanding Files and Directories 2 Objectives Discuss and explain the UNIX file system Define a UNIX file system partition Use the
More informationCSE 390a Lecture 3. Multi-user systems; remote login; editors; users/groups; permissions
CSE 390a Lecture 3 Multi-user systems; remote login; editors; users/groups; permissions slides created by Marty Stepp, modified by Jessica Miller and Ruth Anderson http://www.cs.washington.edu/390a/ 1
More informationINSE 6130 Operating System Security
INSE 6130 Operating System Security Design Principles Prof. Lingyu Wang 1 1 Overview of Design Principles Design principles Time-proven guidelines For implementing security mechanisms/systems Rooted in
More informationUnix Groups and Users
CHMOD TUTORIAL AND XOOPS FILE SECURITIES The Xoops Site Security Guide has dealt with securities issues almost exclusively about possible intrusions or threats from outside of your Xoops site or server.
More informationUser Commands ls ( 1 )
NAME ls list contents of directory SYNOPSIS /usr/bin/ls [-aabccdffghillmnopqrrstux1@] [file...] /usr/xpg4/bin/ls [-aabccdffghillmnopqrrstux1@] [file...] DESCRIPTION For each file that is a directory, ls
More informationParanoid Penguin rsync, Part I
Paranoid Penguin rsync, Part I rsync makes efficient use of the network by only transferring the parts of files that are different from one host to the next. Here's how to use it securely. by Mick Bauer
More informationTEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control
TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control Version 1.0, Last Edited 09/20/2005 Name of Students: Date of Experiment: Part I: Objective The objective of the exercises
More informationCHAPTER 2. Troubleshooting CGI Scripts
CHAPTER 2 Troubleshooting CGI Scripts OVERVIEW Web servers and their CGI environment can be set up in a variety of ways. Chapter 1 covered the basics of the installation and configuration of scripts. However,
More informationRED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 2. 3 June 2013
RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 2 3 June 2013 Developed by Red Hat, NSA, and DISA for the DoD Trademark Information Names, products,
More informationCS Fundamentals of Programming II Fall Very Basic UNIX
CS 215 - Fundamentals of Programming II Fall 2012 - Very Basic UNIX This handout very briefly describes how to use Unix and how to use the Linux server and client machines in the CS (Project) Lab (KC-265)
More informationOperating system security
Operating system security Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2011 Outline Access control models in operating systems: 1. Unix 2. Windows Acknowledgements: This
More informationlsx [ls_options ] [names]
NAME ls, lc, l, ll, lsf, lsr, lsx - list contents of directories SYNOPSIS ls [-abcdefgilmnopqrstuxacfhlr1] [names] lc [-abcdefgilmnopqrstuxacfhlr1] [names] l [ls_options ] [names] ll [ls_options ] [names]
More informationUnix Filesystem. January 26 th, 2004 Class Meeting 2
Unix Filesystem January 26 th, 2004 Class Meeting 2 * Notes adapted by Christian Allgood from previous work by other members of the CS faculty at Virginia Tech Unix Filesystem! The filesystem is your interface
More informationUnix Basics. UNIX Introduction. Lecture 14
Unix Basics Lecture 14 UNIX Introduction The UNIX operating system is made up of three parts; the kernel, the shell and the programs. The kernel of UNIX is the hub of the operating system: it allocates
More informationOperating System Interaction via bash
Operating System Interaction via bash bash, or the Bourne-Again Shell, is a popular operating system shell that is used by many platforms bash uses the command line interaction style generally accepted
More informationOperating Systems, Unix Files and Commands SEEM
Operating Systems, Unix Files and Commands SEEM 3460 1 Major Components of Operating Systems (OS) Process management Resource management CPU Memory Device File system Bootstrapping SEEM 3460 2 Programs
More informationInformation Security CS 526
Information Security CS 526 s Security Basics & Unix Access Control 1 Readings for This Lecture Wikipedia CPU modes System call Filesystem Permissions Other readings UNIX File and Directory Permissions
More informationTo find all files on your file system that have the SUID or SGID bit set, execute:
File System Security Checks There are certain files whose presence in the Linux file system can present a security risk and should be remedied as soon as possible. When the SUID (set user ID) or SGID (set
More informationUNIX/Linux Auditing. Baccam Consulting, LLC Training Events
UNIX/Linux Auditing Baccam Consulting, LLC tanya@securityaudits.org Training Events www.securityaudits.org/events.html ***CISSP Course being offered April 25-April 29, 2016 Copyright 2005-2016, Baccam
More informationCapability and System Hardening
P a g e 1 Date Assigned: mm/dd/yyyy Date Due: mm/dd/yyyy by hh:mm Educational Objectives Capability and System Hardening This lab is designed to help you gain a better understanding of system hardening
More informationUser Accounts. The Passwd, Group, and Shadow Files
User Accounts The Passwd, Group, and Shadow Files We'll start with the passwd (pronounced "password") file, located at /etc/passwd. This file holds information about all of the user accounts on the system.
More informationCS 642 Homework #4. Due Date: 11:59 p.m. on Tuesday, May 1, Warning!
CS 642 Homework #4 Due Date: 11:59 p.m. on Tuesday, May 1, 2007 Warning! In this assignment, you will construct and launch attacks against a vulnerable computer on the CS network. The network administrators
More informationUnix File System. Class Meeting 2. * Notes adapted by Joy Mukherjee from previous work by other members of the CS faculty at Virginia Tech
Unix File System Class Meeting 2 * Notes adapted by Joy Mukherjee from previous work by other members of the CS faculty at Virginia Tech Unix File System The file system is your interface to: physical
More informationINTRODUCTION TO LINUX
INTRODUCTION TO LINUX REALLY SHORT HISTORY Before GNU/Linux there were DOS, MAC and UNIX. All systems were proprietary. The GNU project started in the early 80s by Richard Stallman Goal to make a free
More informationShell Scripting. Todd Kelley CST8207 Todd Kelley 1
Shell Scripting Todd Kelley kelleyt@algonquincollege.com CST8207 Todd Kelley 1 If we have a set of commands that we want to run on a regular basis, we could write a script A script acts as a Linux command,
More informationCase Studies in Access Control
Joint software development Mail 1 / 38 Situations Roles Permissions Why Enforce Access Controls? Unix Setup Windows ACL Setup Reviewer/Tester Access Medium-Size Group Basic Structure Version Control Systems
More informationUnix as a Platform Exercises + Solutions. Course Code: OS 01 UNXPLAT
Unix as a Platform Exercises + Solutions Course Code: OS 01 UNXPLAT Working with Unix Most if not all of these will require some investigation in the man pages. That's the idea, to get them used to looking
More informationCS 356 Operating System Security. Fall 2013
CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database
More informationLecture 2b. Pathnames, files, special characters in filenames, and file permissions. COP 3353 Introduction to UNIX, FALL 2013
Lecture 2b Pathnames, files, special characters in filenames, and file permissions. COP 3353 Introduction to UNIX, FALL 2013 Files Files A well defined repository of information Program or component of
More informationFiles
http://www.cs.fsu.edu/~langley/cop3353-2013-1/reveal.js-2013-02-11/02.html?print-pdf 02/11/2013 10:55 AM Files A normal "flat" file is a collection of information. It's usually stored somewhere reasonably
More informationCS 215 Fundamentals of Programming II Spring 2019 Very Basic UNIX
CS 215 Fundamentals of Programming II Spring 2019 Very Basic UNIX This handout very briefly describes how to use Unix and how to use the Linux server and client machines in the EECS labs that dual boot
More informationShellbased Wargaming
Shellbased Wargaming Abstract Wargaming is a hands-on way to learn about computer security and common programming mistakes. This document is intended for readers new to the subject and who are interested
More informationUNIX: Departmental Library Management on AIX
Departmental Library Management on AIX SYNOPSIS This document describes the basics of departmental library management as it is performed on the AIX operating system with the utilities provided by Information
More informationLinux Systems Administration Getting Started with Linux
Linux Systems Administration Getting Started with Linux Network Startup Resource Center www.nsrc.org These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International
More information6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.
6.858 Lecture 4 OKWS Administrivia: Lab 1 due this Friday. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS. Privilege separation
More informationSeeing file permission/ownership ls -l (Shows the long listing of a file/directory, which allows you to see file permission & ownership)
Objective 104.5 Manage file permission and ownership by Christine Bresnahan: Christine-Bresnahan.com Manage access permissions on regular and special files as well as directories. Use access modes such
More informationCase Study: Access Control. Steven M. Bellovin October 4,
Case Study: Access Control Steven M. Bellovin October 4, 2015 1 Case Studies in Access Control Joint software development Mail Steven M. Bellovin October 4, 2015 2 Situations Small team on a single machine
More informationThe UNIX File System
The UNIX File System Magnus Johansson (May 2007) 1 UNIX file system A file system is created with mkfs. It defines a number of parameters for the system as depicted in figure 1. These paremeters include
More informationIS 2150 / TEL 2810 Information Security and Privacy
IS 2150 / TEL 2810 Information Security and Privacy James Joshi Professor, SIS Access Control OS Security Overview Lecture 2, Sept 6, 2016 1 Objectives Understand the basics of access control model Access
More informationRBS NetGain Enterprise Manager Multiple Vulnerabilities of 11
RBS-2018-004 NetGain Enterprise Manager Multiple Vulnerabilities 2018-03-22 1 of 11 Table of Contents Vendor / Product Information 3 Vulnerable Program Details 3 Credits 3 Impact 3 Vulnerability Details
More informationPrivileges: who can control what
Privileges: who can control what Introduction to Unix May 24, 2008, Morocco Hervey Allen Goal Understand the following: The Unix security model How a program is allowed to run Where user and group information
More informationUnix as a Platform Exercises. Course Code: OS-01-UNXPLAT
Unix as a Platform Exercises Course Code: OS-01-UNXPLAT Working with Unix 1. Use the on-line manual page to determine the option for cat, which causes nonprintable characters to be displayed. Run the command
More informationChapter 8: Security under Linux
Chapter 8: Security under Linux 8.1 File and Password security Linux security may be divided into two major parts: a) Password security b) File security 8.1.1 Password security To connect to a Linux system
More informationExercise Sheet 2. (Classifications of Operating Systems)
Exercise Sheet 2 Exercise 1 (Classifications of Operating Systems) 1. At any given moment, only a single program can be executed. What is the technical term for this operation mode? 2. What are half multi-user
More informationCS197U: A Hands on Introduction to Unix
CS197U: A Hands on Introduction to Unix Lecture 3: UNIX Operating System Organization Tian Guo CICS, Umass Amherst 1 Reminders Assignment 2 is due THURSDAY 09/24 at 3:45 pm Directions are on the website
More informationcommandname flags arguments
Unix Review, additional Unix commands CS101, Mock Introduction This handout/lecture reviews some basic UNIX commands that you should know how to use. A more detailed description of this and other commands
More information1 Installation (briefly)
Jumpstart Linux Bo Waggoner Updated: 2014-09-15 Abstract A basic, rapid tutorial on Linux and its command line for the absolute beginner. Prerequisites: a computer on which to install, a DVD and/or USB
More informationCENG 334 Computer Networks. Laboratory I Linux Tutorial
CENG 334 Computer Networks Laboratory I Linux Tutorial Contents 1. Logging In and Starting Session 2. Using Commands 1. Basic Commands 2. Working With Files and Directories 3. Permission Bits 3. Introduction
More informationCSE 390a Lecture 4. Persistent shell settings; users/groups; permissions
CSE 390a Lecture 4 Persistent shell settings; users/groups; permissions slides created by Marty Stepp, modified by Jessica Miller and Ruth Anderson http://www.cs.washington.edu/390a/ 1 2 Lecture summary
More informationProgramming Project # 2. cs155 Due 5/5/05, 11:59 pm Elizabeth Stinson (Some material from Priyank Patel)
Programming Project # 2 cs155 Due 5/5/05, 11:59 pm Elizabeth Stinson (Some material from Priyank Patel) Background context Unix permissions model Prof Mitchell will cover during OS security (next week
More informationSecure Programming Learning objectives. and Best Practices. Windows shells Launches programs, including other shells Provides
2 Learning objectives 1 Secure Programming Shell and Environment Flaws Ahmet Burak Can Hacettepe University Understand how shells interpret commands, launch and provide environments for processes Understand
More informationSecure Programming. Shell and Environment Flaws. Ahmet Burak Can Hacettepe University
Secure Programming Shell and Environment Flaws 1 Ahmet Burak Can Hacettepe University 2 Learning objectives Understand how shells interpret commands, launch and provide environments for processes Understand
More informationWhat is version control? (discuss) Who has used version control? Favorite VCS? Uses of version control (read)
1 For the remainder of the class today, I want to introduce you to a topic we will spend one or two more classes discussing and that is source code control or version control. What is version control?
More informationUnix Introduction to UNIX
Unix Introduction to UNIX Get Started Introduction The UNIX operating system Set of programs that act as a link between the computer and the user. Developed in 1969 by a group of AT&T employees Various
More information